InfoSecAI is an independent UK consultancy. We work with boards, audit committees and senior security leaders to translate regulatory pressure, risk appetite and operational reality into governance, controls and evidence that hold up under scrutiny.
Three routes into the practice, by the situation in front of you. Each routes to the right advisory shape, the right deliverables and the right senior practitioner involvement.
Prepare a decision-ready pack, an assurance view or a regulator-facing narrative. Suitable when the next board, audit committee or regulator meeting is the forcing function.
Board & assurance route →Turn strategy, compliance or control gaps into a sequenced delivery plan. Suitable for vCISO support, programme stand-up or transformation that has lost momentum.
Senior leadership route →Classify use cases, define controls and produce accountable governance artefacts. Suitable when AI adoption is outpacing accountability or EU AI Act / ISO 42001 work is on the agenda.
AI governance route →Our practice is organised into four pillars covering leadership and strategy, governance, risk and compliance, AI security and governance, and security operations and engineering. Each pillar is led by the same senior practitioner team.
CISO advisory, cyber strategy, programme leadership, M&A diligence.
04 SERVICES → PILLAR 02ISO 27001, DORA, UK GDPR, assurance, maturity benchmarking, operational resilience.
05 SERVICES → PILLAR 03EU AI Act, ISO 42001, NIST AI RMF, model red-teaming.
04 SERVICES → PILLAR 04Incident response, cloud posture, architecture review, supply-chain risk.
04 SERVICES →Practitioner-built. AI-assisted for the structured tasks. Senior-reviewed for the judgement. Currently available through advisory-led private preview, with direct senior practitioner support. General availability anticipated H2 2026.
ISO 27001 · ISO 22301 · ISO 42001 · NIST CSF · NIST AI RMF · CIS Controls · Cyber Essentials.
EXPLORE GROUP →DORA · NIS 2 · EU AI Act · GDPR · UK GDPR. Legal text translated into operational work.
EXPLORE GROUP →SOC 1 · SOC 2. Trust Services Criteria mapped to ISO 27001 controls.
EXPLORE GROUP →Seven international standards underpin most senior security and AI governance programmes. Each is mapped to the management system, the controls, and the evidence auditors expect to see.
Seven UK and EU regulations at the centre of current senior practice. For each, a current reading of the statutory text, the supervisory guidance, and the control activity boards are now expected to evidence.
Security and AI governance expectations differ by sector. Each row shows the dominant regulatory anchor and the typical control set we work to.
FCA and PRA regulated firms, banks, building societies, fintechs, payment institutions and investment firms. Subject to ICT and operational resilience oversight under DORA, FCA SS1/21 and the PRA SMCR.
NHS trusts, ICBs, primary care networks, health-tech, life sciences, clinical research and adult social care. Subject to DSPT, National Data Guardian standards and MHRA cybersecurity expectations for connected devices.
Central government, local authorities, arm's length bodies, defence contractors and CNI operators. Subject to GovAssure, the NCSC Cyber Assessment Framework and the SCIDA arrangement.
SaaS providers, cloud platforms, AI and data businesses, marketplaces and developer tooling vendors. Subject to customer-driven SOC 2, ISO 27001 procurement gating, and EU AI Act provider/deployer obligations.
Public electronic communications providers, ISPs, MNOs, MVNOs and managed network providers. Subject to the Telecommunications (Security) Act 2021 and the TSA Code of Practice with OFCOM oversight.
Industrial manufacturers, OT environments, automotive, aerospace and connected-product engineering. Subject to NIS 2 essential and important entity duties through EU subsidiaries and IEC 62443 customer expectations.
Multichannel retailers, e-commerce platforms, marketplaces and consumer brands handling cardholder data. Subject to PCI DSS 4.0.1 and UK GDPR, with B2B customer security questionnaire activity.
Law firms, accountancy practices, management consultancies and senior advisory firms with significant client-data sensitivity. Subject to client security questionnaires, SRA Code and ISO 27001 customer expectations.
Board-ready papers, practitioner briefings and field notes for security and AI governance decisions. Authored by Paul Jolliffe, written for use inside the firm. Evergreen, reviewed on material regulatory change.
Seven decisions every UK board, audit committee chair and CISO should make before EU AI Act high-risk Annex III enforcement begins.
FOR · BOARD · AUDIT CMTEPillar-by-pillar self-check, third-party criticality matrix and the four-hour major incident notification clock.
FOR · CISO · OPRES · LEGALThirty control domains mapped across ISO 27001, NIST CSF, CIS, DORA, NIS 2, UK GDPR and the EU AI Act with ISO 42001.
FOR · CISO · 2LDA · AUDITThe working journal. Weekly dispatches on current regulatory positions, supervisory expectations and the questions clients are putting on the table. Distributed via The Brief.
Most organisations are now reporting against three or four frameworks at once. The same controls show up in ISO 27001, NIST CSF, CIS Controls, DORA and NIS 2, but the language differs and the evidence requirements diverge in places that matter at audit time.
Read the dispatch
Twenty years of international senior security leadership across the private and public sectors. Roles span Chief Information Security Officer, Head of Cyber Security, Head of Managed Security Services, and senior consulting and programme management.
Deep practice across the public and private sectors, including financial services, manufacturing, healthcare, energy, telecommunications, technology and professional services. Strategy aligned to ISO 27001, NIST, CIS Controls, DSPT and CAF, with compliance work spanning PCI DSS, GDPR and UK GDPR, NIS 2, and SOC 1 and 2.
InfoSecAI was founded in 2025 for organisations that require clarity, senior leadership and hands-on delivery, without adding complexity or treating compliance as a paperwork exercise.
Earlier career · Senior consulting, security product and programme leadership across IBM, KPMG, PwC and Deutsche Telekom (T-Systems).
Short dispatches on what is changing in UK and EU regulation, what supervisory teams are now asking, and the artefacts that hold up under scrutiny. No tracking pixels, no marketing automation, no upsell sequences. Unsubscribe in one click.
In thirty minutes we will clarify the decision, the regulatory or assurance pressure, the likely evidence gap, and the next practical move, whether or not InfoSecAI is the right delivery partner.
No pitch deck. A working conversation with a senior practitioner.